chore: initial public commit

2026-04-22 12:01:52 -07:00 · 2025-06-11 19:45:39 -04:00 · 2025-06-11 19:45:39 -04:00 · fc9054b78c
commit fc9054b78c
250 changed files with 32809 additions and 0 deletions
--- a/engine/middleware/hosts.go
+++ b/engine/middleware/hosts.go
@ -0,0 +1,24 @@
+package middleware
+
+import (
+	"net/http"
+	"slices"
+
+	"github.com/gabehf/koito/internal/cfg"
+	"github.com/gabehf/koito/internal/logger"
+)
+
+func AllowedHosts(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		l := logger.Get()
+		if cfg.AllowAllHosts() {
+			next.ServeHTTP(w, r)
+			return
+		} else if slices.Contains(cfg.AllowedHosts(), r.Host) {
+			next.ServeHTTP(w, r)
+			return
+		}
+		l.Warn().Msgf("Request denied from host %s. If you want to allow requests like this, add the host to your %s variable", r.Host, cfg.ALLOWED_HOSTS_ENV)
+		w.WriteHeader(http.StatusForbidden)
+	})
+}
--- a/engine/middleware/middleware.go
+++ b/engine/middleware/middleware.go
@ -0,0 +1,103 @@
+package middleware
+
+import (
+	"context"
+	"crypto/rand"
+	"math/big"
+	"net/http"
+	"runtime/debug"
+	"strings"
+	"time"
+
+	"github.com/go-chi/chi/v5/middleware"
+	"github.com/rs/zerolog"
+
+	"github.com/gabehf/koito/internal/logger"
+	"github.com/gabehf/koito/internal/utils"
+)
+
+type RequestIDHook struct{}
+
+func (h RequestIDHook) Run(e *zerolog.Event, level zerolog.Level, msg string) {
+	if ctx := e.GetCtx(); ctx != nil {
+		if reqID, ok := ctx.Value("requestID").(string); ok {
+			e.Str("request_id", reqID)
+		}
+	}
+}
+
+const requestIDKey MiddlwareContextKey = "requestID"
+
+const base62Chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
+
+func GenerateRequestID() string {
+	const length = 8 // ~0.23% chance of collision in 1M requests
+	id := make([]byte, length)
+	for i := 0; i < length; i++ {
+		n, _ := rand.Int(rand.Reader, big.NewInt(int64(len(base62Chars))))
+		id[i] = base62Chars[n.Int64()]
+	}
+	return string(id)
+}
+
+func WithRequestID(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		reqID := GenerateRequestID()
+		ctx := context.WithValue(r.Context(), requestIDKey, reqID)
+
+		w.Header().Set("X-Request-ID", reqID)
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
+}
+
+// GetRequestID extracts the request ID from context
+func GetRequestID(ctx context.Context) string {
+	if val, ok := ctx.Value(requestIDKey).(string); ok {
+		return val
+	}
+	return ""
+}
+
+// Logger logs requests and injects a request-scoped logger with a request ID into the context.
+func Logger(baseLogger *zerolog.Logger) func(next http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		fn := func(w http.ResponseWriter, r *http.Request) {
+			reqID := GetRequestID(r.Context())
+			l := baseLogger.With().Str("request_id", reqID).Logger()
+
+			// Inject logger with request_id into the context
+			r = logger.Inject(r, &l)
+
+			ww := middleware.NewWrapResponseWriter(w, r.ProtoMajor)
+			t1 := time.Now()
+			defer func() {
+				t2 := time.Now()
+				if rec := recover(); rec != nil {
+					l.Error().
+						Str("type", "error").
+						Timestamp().
+						Interface("recover_info", rec).
+						Bytes("debug_stack", debug.Stack()).
+						Msg("log system error")
+					utils.WriteError(ww, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+					return
+				}
+				pathS := strings.Split(r.URL.Path, "/")
+				if len(pathS) > 1 && pathS[1] == "apis" {
+					l.Info().
+						Str("type", "access").
+						Timestamp().
+						Msgf("Received %s %s - Responded with %d in %.2fms", r.Method, r.URL.Path, ww.Status(), float64(t2.Sub(t1).Nanoseconds())/1_000_000.0)
+				} else {
+					l.Debug().
+						Str("type", "access").
+						Timestamp().
+						Msgf("Received %s %s - Responded with %d in %.2fms", r.Method, r.URL.Path, ww.Status(), float64(t2.Sub(t1).Nanoseconds())/1_000_000.0)
+				}
+
+			}()
+			next.ServeHTTP(ww, r)
+		}
+		return http.HandlerFunc(fn)
+	}
+}
--- a/engine/middleware/validate.go
+++ b/engine/middleware/validate.go
@ -0,0 +1,106 @@
+package middleware
+
+import (
+	"context"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/gabehf/koito/internal/db"
+	"github.com/gabehf/koito/internal/logger"
+	"github.com/gabehf/koito/internal/models"
+	"github.com/gabehf/koito/internal/utils"
+	"github.com/google/uuid"
+)
+
+type MiddlwareContextKey string
+
+const (
+	UserContextKey   MiddlwareContextKey = "user"
+	apikeyContextKey MiddlwareContextKey = "apikeyID"
+)
+
+func ValidateSession(store db.DB) func(next http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			l := logger.FromContext(r.Context())
+			cookie, err := r.Cookie("koito_session")
+			var sid uuid.UUID
+			if err == nil {
+				sid, err = uuid.Parse(cookie.Value)
+				if err != nil {
+					utils.WriteError(w, "session cookie is invalid", http.StatusUnauthorized)
+					return
+				}
+			}
+
+			l.Debug().Msg("Retrieved login cookie from request")
+
+			u, err := store.GetUserBySession(r.Context(), sid)
+			if err != nil {
+				l.Err(err).Msg("Failed to get user from session")
+				utils.WriteError(w, "internal server error", http.StatusInternalServerError)
+				return
+			}
+			if u == nil {
+				utils.WriteError(w, "unauthorized", http.StatusUnauthorized)
+				return
+			}
+
+			ctx := context.WithValue(r.Context(), UserContextKey, u)
+			r = r.WithContext(ctx)
+
+			l.Debug().Msgf("Refreshing session for user '%s'", u.Username)
+
+			store.RefreshSession(r.Context(), sid, time.Now().Add(30*24*time.Hour))
+
+			l.Debug().Msgf("Refreshed session for user '%s'", u.Username)
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}
+
+func ValidateApiKey(store db.DB) func(next http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			ctx := r.Context()
+			l := logger.FromContext(ctx)
+
+			authh := r.Header.Get("Authorization")
+			s := strings.Split(authh, "Token ")
+			if len(s) < 2 {
+				l.Debug().Msg("Authorization header must be formatted 'Token {token}'")
+				utils.WriteError(w, "unauthorized", http.StatusUnauthorized)
+				return
+			}
+
+			key := s[1]
+
+			u, err := store.GetUserByApiKey(ctx, key)
+			if err != nil {
+				l.Err(err).Msg("Failed to get user from database using api key")
+				utils.WriteError(w, "internal server error", http.StatusInternalServerError)
+				return
+			}
+			if u == nil {
+				l.Debug().Msg("Api key does not exist")
+				utils.WriteError(w, "unauthorized", http.StatusUnauthorized)
+				return
+			}
+
+			ctx = context.WithValue(r.Context(), UserContextKey, u)
+			r = r.WithContext(ctx)
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}
+
+func GetUserFromContext(ctx context.Context) *models.User {
+	user, ok := ctx.Value(UserContextKey).(*models.User)
+	if !ok {
+		return nil
+	}
+	return user
+}